Diffstat (limited to 'src/libradius')
-rw-r--r--src/libradius/Makefile.in14
-rw-r--r--src/libradius/radius_message.c28
-rw-r--r--src/libradius/radius_message.h3
-rw-r--r--src/libradius/radius_socket.c18
4 files changed, 43 insertions, 20 deletions
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index bcc38792a..15642db64 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -49,6 +49,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -78,7 +79,7 @@ libradius_la_LIBADD =
am_libradius_la_OBJECTS = radius_message.lo radius_socket.lo \
radius_client.lo radius_config.lo
libradius_la_OBJECTS = $(am_libradius_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
@@ -104,6 +105,7 @@ AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BFDLIB = @BFDLIB@
BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
@@ -198,11 +200,14 @@ build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
clearsilver_LIBS = @clearsilver_LIBS@
datadir = @datadir@
datarootdir = @datarootdir@
dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
@@ -219,11 +224,12 @@ imcvdir = @imcvdir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
ipsecdir = @ipsecdir@
ipsecgroup = @ipsecgroup@
ipseclibdir = @ipseclibdir@
ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
libexecdir = @libexecdir@
linux_headers = @linux_headers@
@@ -239,6 +245,7 @@ mkdir_p = @mkdir_p@
nm_CFLAGS = @nm_CFLAGS@
nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
@@ -248,7 +255,6 @@ pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index 17fa7357b..77f9b0398 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -286,14 +286,17 @@ METHOD(radius_message_t, add, void,
this->msg->length = htons(ntohs(this->msg->length) + attribute->length);
}
-METHOD(radius_message_t, sign, void,
+METHOD(radius_message_t, sign, bool,
private_radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth)
{
if (rng)
{
/* build Request-Authenticator */
- rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
+ if (!rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator))
+ {
+ return FALSE;
+ }
}
else
{
@@ -315,9 +318,12 @@ METHOD(radius_message_t, sign, void,
/* build Message-Authenticator attribute, using 16 null bytes */
memset(buf, 0, sizeof(buf));
add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
- signer->get_signature(signer,
+ if (!signer->get_signature(signer,
chunk_create((u_char*)this->msg, ntohs(this->msg->length)),
- ((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5);
+ ((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5))
+ {
+ return FALSE;
+ }
}
if (!rng)
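Review bot: When `get_signature()` fails here, `add()` has already appended the Message-Authenticator attribute with 16 zero bytes and increased `msg->length`, so `sign()` returns FALSE with the message half-signed. The `rng->get_bytes()` failure in the previous hunk and the `get_hash()` failure in the next one are similar, since `msg->authenticator` may be only partly written at that point. The early returns themselves are fine, but the contract should be written down at the failure path, for example `/* on failure the message is partially modified and must not be sent */`. The body of sign() starts and ends outside this hunk.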
@@ -326,9 +332,13 @@ METHOD(radius_message_t, sign, void,
/* build Response-Authenticator */
msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
- hasher->get_hash(hasher, msg, NULL);
- hasher->get_hash(hasher, secret, this->msg->authenticator);
+ if (!hasher->get_hash(hasher, msg, NULL) ||
+ !hasher->get_hash(hasher, secret, this->msg->authenticator))
+ {
+ return FALSE;
+ }
}
+ return TRUE;
}
METHOD(radius_message_t, verify, bool,
@@ -357,9 +367,9 @@ METHOD(radius_message_t, verify, bool,
}
/* verify Response-Authenticator */
- hasher->get_hash(hasher, msg, NULL);
- hasher->get_hash(hasher, secret, buf);
- if (!memeq(buf, res_auth, HASH_SIZE_MD5))
+ if (!hasher->get_hash(hasher, msg, NULL) ||
+ !hasher->get_hash(hasher, secret, buf) ||
+ !memeq(buf, res_auth, HASH_SIZE_MD5))
{
DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed");
return FALSE;
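Review bot: Folding the two `get_hash()` calls into the same condition as `memeq()` means a hasher failure is logged as "RADIUS Response-Authenticator verification failed", which reads like a wrong shared secret or a tampered response. Someone triaging RADIUS authentication failures needs to tell a local crypto error from a genuine mismatch. A separate branch with its own message, e.g. `DBG1(DBG_CFG, "RADIUS Response-Authenticator calculation failed");`, keeps the fail-closed behaviour and fixes the log. Whether `memeq()` compares in constant time is not visible here and is worth confirming, since it compares a value derived from the shared secret. verify() continues outside the hunk.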
diff --git a/src/libradius/radius_message.h b/src/libradius/radius_message.h
index 6d0df53c3..f9c57c5ef 100644
--- a/src/libradius/radius_message.h
+++ b/src/libradius/radius_message.h
@@ -257,8 +257,9 @@ struct radius_message_t {
* @param hasher MD5 hasher
* @param rng RNG to create Request-Authenticator, NULL to omit
* @param msg_auth calculate and add Message-Authenticator
+ * @return TRUE if signed successfully
*/
- void (*sign)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
+ bool (*sign)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth);
/**
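Review bot: Changing `sign` from `void` to `bool` does not force callers to look at the result. Code that still calls `request->sign(...)` as a plain statement compiles without a diagnostic and could go on to send a message whose authenticator was never computed. Adding `__attribute__((warn_unused_result))` after the parameter list would make the compiler flag such callers. The new `@return` line could also say that FALSE means the message is in an undefined state and must be discarded.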
diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c
index 048c8814e..ba7cb14b0 100644
--- a/src/libradius/radius_socket.c
+++ b/src/libradius/radius_socket.c
@@ -148,8 +148,11 @@ METHOD(radius_socket_t, request, radius_message_t*,
/* set Message Identifier */
request->set_identifier(request, this->identifier++);
/* sign the request */
- request->sign(request, NULL, this->secret, this->hasher, this->signer,
- rng, rng != NULL);
+ if (!request->sign(request, NULL, this->secret, this->hasher, this->signer,
+ rng, rng != NULL))
+ {
+ return NULL;
+ }
if (!check_connection(this, fd, port))
{
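Review bot: The new `return NULL` on a failed `sign()` is silent, so nothing in the log points at the RNG, signer or hasher, and the caller presumably cannot tell it apart from the other failure paths of request(). A line such as `DBG1(DBG_CFG, "signing RADIUS request failed");` before the return would make this diagnosable. The `return chunk_empty` added to decrypt_mppe_key() in the next hunk has the same gap. Whether anything acquired earlier in request() needs releasing on this path cannot be judged from the hunk, because the function starts and ends outside it.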
@@ -257,8 +260,11 @@ static chunk_t decrypt_mppe_key(private_radius_socket_t *this, u_int16_t salt,
while (c < C.ptr + C.len)
{
/* b(i) = MD5(S + c(i-1)) */
- this->hasher->get_hash(this->hasher, this->secret, NULL);
- this->hasher->get_hash(this->hasher, seed, p);
+ if (!this->hasher->get_hash(this->hasher, this->secret, NULL) ||
+ !this->hasher->get_hash(this->hasher, seed, p))
+ {
+ return chunk_empty;
+ }
/* p(i) = b(i) xor c(1) */
memxor(p, c, HASH_SIZE_MD5);
@@ -358,14 +364,14 @@ radius_socket_t *radius_socket_create(char *address, u_int16_t auth_port,
.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
);
- if (!this->hasher || !this->signer || !this->rng)
+ if (!this->hasher || !this->signer || !this->rng ||
+ !this->signer->set_key(this->signer, secret))
{
DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
destroy(this);
return NULL;
}
this->secret = secret;
- this->signer->set_key(this->signer, secret);
/* we use a random identifier, helps if we restart often */
this->identifier = random();
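Review bot: A failing `set_key()` now reports "RADIUS initialization failed, HMAC/MD5/RNG required", which blames a missing algorithm even though the hasher, signer and RNG were all created. Either give the key failure its own branch and message, or reword the shared one, e.g. `DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required or setting secret failed");`. radius_socket_create() starts and ends outside the hunk.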